Organizing Parameters into
Hierarchies

Managing dozens or hundreds of parameters as a flat list is time consuming and
prone to errors. It can also be difficult to identify the correct parameter for a
task. This means you might accidentally use the wrong parameter, or you might create
multiple parameters that use the same configuration data.

You can use parameter hierarchies to help you organize and manage parameters. A
hierarchy is a parameter name that includes a path that you define by using forward
slashes. Here is an example that uses three hierarchy levels in the name to identify
the following:

/Environment/Type of computer/Application/Data

/Dev/DBServer/MySQL/db-string13

You can create a hierarchy with a maximum of 15 levels. We suggest that you create
hierarchies that reflect an existing hierarchical structure in your environment, as
shown in the following examples:

Parameter hierarchies standardize the way you create parameters and make it easier
to manage parameters over time. A parameter hierarchy can also help you identify the
correct parameter for a configuration task. This helps you to avoid creating
multiple parameters with the same configuration data.

You can create a hierarchy that allows you to share parameters across different
environments, as shown in the following examples that use passwords in development
and staging environment.

/DevTest/MyApp/database/db_password

You could then create a unique password for your production environment, as shown
in the following example:

/prod/MyApp/database/db_password

You are not required to specify a parameter hierarchy. You can create parameters
at level one. These are called root parameters. For backward
compatibility, all parameters created in Parameter Store before hierarchies were released
are root parameters. The systems treats both of the following parameters as root
parameters.

Another benefit of using hierarchies is the ability to query for all
parameters within a hierarchy by using the GetParametersByPath
API action. For example, if you execute the following command from the AWS CLI,
the system returns all parameters in the IIS level.

aws ssm get-parameters-by-path --path /Dev/Web/IIS

To view decrypted SecureString parameters in a hierarchy, you specify the path and
the --with-decryption parameter, as shown in the following
example.

aws ssm get-parameters-by-path --path /Prod/ERP/SAP --with-decryption

Restricting IAM Permissions Using Hierarchies

Using hierarchies and AWS Identity and Access Management (IAM) policies for Parameter
Store API actions, you
can provide or restrict access to all parameters in one level of a hierarchy.
The following example policy allows all Parameter Store operations on all parameters
for the AWS account 123456789012 in the us-east-1 Region. The user can't create
parameters because the PutParameter action is explicitly denied.
This policy also forbids the user from calling the
GetParametersByPath action.